container (#938)

* Some small container related changes

Signed-off-by: Russell Coker <[email protected]>

Author: etbe

policy/modules/services/container.te

@@ -1011,6 +1011,10 @@ allow spc_t self:process { getcap setexec setrlimit };
 dontaudit spc_t self:process setfscreate;
 allow spc_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
 allow spc_t self:capability2 { bpf perfmon };
+
+# for qemu
+domain_mmap_low(spc_t)
+
 allow spc_t self:bpf { map_create map_read map_write prog_load prog_run };
 allow spc_t self:key manage_key_perms;
 allow spc_t self:alg_socket create_stream_socket_perms;

policy/modules/services/virt.fc

@@ -11,6 +11,9 @@ HOME_DIR/VirtualMachines/isos(/.*)?	gen_context(system_u:object_r:virt_content_t
 
 /etc/qemu(/.*)?		gen_context(system_u:object_r:virt_etc_t,s0)
 
+/etc/qemu	-d	gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/qemu/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
+
 /etc/rc\.d/init\.d/(libvirt-bin|libvirtd)	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
 
 /etc/xen	-d	gen_context(system_u:object_r:virt_etc_t,s0)
@@ -23,7 +26,8 @@ HOME_DIR/VirtualMachines/isos(/.*)?	gen_context(system_u:object_r:virt_content_t
 /usr/lib/qemu/qemu-bridge-helper	--	gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
 
 /usr/libexec/libvirt_lxc	--	gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
-/usr/libexec/qemu-bridge-helper	gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
+/usr/libexec/qemu-bridge-helper	--	gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
+/usr/libexec/qemu/qemu-bridge-helper	--	gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
 /usr/libexec/libvirt_leaseshelper	--	gen_context(system_u:object_r:virt_leaseshelper_exec_t,s0)
 
 /usr/bin/condor_vm-gahp	--	gen_context(system_u:object_r:virtd_exec_t,s0)

policy/modules/services/virt.te

@@ -466,6 +466,7 @@ allow virtd_t self:packet_socket create_socket_perms;
 allow virtd_t self:netlink_generic_socket create_socket_perms;
 allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow virtd_t self:netlink_route_socket nlmsg_write;
+allow virtd_t self:anon_inode { create map read write };
 
 allow virtd_t virt_domain:process { getattr getsched rlimitinh setsched sigkill signal signull transition };
 dontaudit virtd_t virt_domain:process { noatsecure rlimitinh siginh };
@@ -586,6 +587,7 @@ kernel_read_network_state(virtd_t)
 kernel_rw_net_sysctls(virtd_t)
 kernel_read_kernel_sysctls(virtd_t)
 kernel_read_vm_overcommit_sysctl(virtd_t)
+kernel_read_vm_sysctls(virtd_t)
 kernel_request_load_module(virtd_t)
 kernel_search_debugfs(virtd_t)
 kernel_setsched(virtd_t)
@@ -612,6 +614,7 @@ corenet_tcp_connect_soundd_port(virtd_t)
 corenet_rw_tun_tap_dev(virtd_t)
 
 dev_rw_sysfs(virtd_t)
+dev_read_cpuid(virtd_t)
 dev_read_urand(virtd_t)
 dev_read_rand(virtd_t)
 dev_rw_kvm(virtd_t)
@@ -634,6 +637,7 @@ files_search_all(virtd_t)
 files_read_kernel_modules(virtd_t)
 files_read_usr_src_files(virtd_t)
 files_mounton_root(virtd_t)
+files_watch_etc_dirs(virtd_t)
 
 # Manages /etc/sysconfig/system-config-firewall
 # files_relabelto_system_conf_files(virtd_t)
@@ -1122,6 +1126,9 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
 
+allow virt_bridgehelper_t virt_etc_t:dir list_dir_perms;
+allow virt_bridgehelper_t virt_etc_t:file read_file_perms;
+
 manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
 
 kernel_read_network_state(virt_bridgehelper_t)
@@ -1165,6 +1172,8 @@ files_read_etc_files(virt_leaseshelper_t)
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
 allow virtlockd_t self:unix_stream_socket create_stream_socket_perms;
+allow virtlockd_t self:process getsched;
+allow virtlockd_t self:unix_dgram_socket create_socket_perms;
 
 allow virtlockd_t virtd_t:dir list_dir_perms;
 allow virtlockd_t virtd_t:file read_file_perms;
@@ -1188,11 +1197,17 @@ files_runtime_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
+kernel_getattr_proc(virtlockd_t)
+kernel_read_kernel_sysctls(virtlockd_t)
 kernel_read_system_state(virtlockd_t)
 
+dev_read_sysfs(virtlockd_t)
+
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 
+logging_send_syslog_msg(virtlockd_t)
+
 miscfiles_read_localization(virtlockd_t)
 
 virt_append_log(virtlockd_t)
@@ -1209,6 +1224,8 @@ allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
 allow virtlogd_t virtd_t:dir list_dir_perms;
 allow virtlogd_t virtd_t:file read_file_perms;
 allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+allow virtlogd_t self:process getsched;
+allow virtlogd_t self:unix_dgram_socket create;
 
 can_exec(virtlogd_t, virtlogd_exec_t)
 
@@ -1220,11 +1237,17 @@ files_runtime_filetrans(virtlogd_t, virtlogd_run_t, file)
 allow virtlogd_t virt_common_runtime_t:file append_file_perms;
 manage_files_pattern(virtlogd_t, virt_common_runtime_t, virt_common_runtime_t)
 
+kernel_getattr_proc(virtlogd_t)
+kernel_read_kernel_sysctls(virtlogd_t)
 kernel_read_system_state(virtlogd_t)
 
+dev_read_sysfs(virtlogd_t)
+
 files_read_etc_files(virtlogd_t)
 files_list_var_lib(virtlogd_t)
 
+logging_send_syslog_msg(virtlogd_t)
+
 miscfiles_read_localization(virtlogd_t)
 
 sysnet_dns_name_resolve(virtlogd_t)